Bring your own device (BYOD) trends and audit considerations
SIFMA IT audit session, 4 October 2012
Disclaimer
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited located in the US.
This presentation is © 2012 Ernst & Young LLP. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, rekeying or using any information storage and retrieval system, without written permission from Ernst & Young LLP. Any reproduction, transmission or distribution of this form or any of the material herein is prohibited and is in violation of US and international law. Ernst & Young and its member firms expressly disclaim any liability in connection with use of this presentation or its contents by any third party. The views expressed by panelists are not necessarily those of Ernst & Young LLP.
Circular 230 disclaimer: Any US tax advice contained herein was not intended or written to be used, and cannot be used, for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code or applicable state or local tax law provisions. These slides are for educational purposes only and are not intended, and should not be relied upon, as accounting advice.
Page 1
Agenda
- Overview
- Evolution of the IT environment
- Benefits of BYOD
- Challenges
- Implementation considerations
- Mobile device management
- BYOD risks and controls
- Mobile security leading practices
Overview
- BYOD is a strategy in which organizations allow employees to use their personal devices to access company resources.
- It brings increased functionality to employee devices, such as HR reporting, expense reporting, sales-force automation, customer relationship management (CRM) and asset management.
- BYOD extends the range of the company network and is a result of the consumerization of IT: IT's emergence in the consumer market increases the amount of personal technology being pulled into the organization.
Evolution of the IT environment
(Timeline figure; each year carries the theme of that year's survey and the drivers shown under it.)
- 2006: Achieving success in a globalized world
- 2008: Moving beyond compliance
- 2010: Borderless security
- 2012: Information security re-invented
Drivers shown across the timeline: more third-party relationships; focus on privacy and data protection; brand protection; mobile computing; IP; cloud computing; business continuity; social media; operational risk; data is everywhere; need for a fundamental shift in information security; integration and coordination. Each period is marked with a "need for change" rating from low to high.
Source: Ernst & Young 2012 Global Information Security Survey (GISS), information security re-invented
2012 Global Information Security Survey: keeping track of mobile computing
Does your organization currently permit the use of tablet computers for business use? (US responses only)
- No, and no plans to use in the next 12 months: 4.85%
- No, but planned within the next 12 months: 6.47%
- Tablets are under evaluation or very limited use: 35.28%
- Yes, company-owned tablet devices are widely in use: 18.12%
- Yes, privately owned tablets are widely in use but not supported by the organization: 13.92%
- Yes, privately owned tablets are widely in use and supported by the organization by means of a Bring Your Own Device (BYOD) policy: 21.36%
Responses show increased adoption and a shift from the 2011 survey, with more than 85% of respondents indicating an interest in BYOD with varying levels of adoption.
BYOD high-level technology landscape
BYOD devices pose the challenge of connecting to corporate servers by transferring data over both secured and unsecured networks. The diagram shows the following components:
- MDM (mobile device management) enabled BYOD devices
- Non-MDM enabled BYOD devices
- Corporate wifi networks and non-corporate wifi networks
- Wireless carrier networks
- Internet (unsecured networks)
- Corporate firewall
- Corporate servers (email, application, etc.)
Benefits of BYOD
- Enhanced collaboration and mobility
- Expanded mobile access to resources
- Increased employee morale and business productivity
- Reduced spending on procurement, training and support of devices, as well as on the responsibility for device life cycle management
- Relieving IT of the responsibility of managing service plans
- The implementation process can be shared with end users by allowing users to self-enroll
- Operational cost savings through consolidated delivery mechanisms
Challenges
- Data security
- Separating personal data from enterprise data
- Changing culture: more flexibility for employees, reduced control for the IT department
- New considerations when designing the IT strategy and implementing security policies; aligning user needs and business requirements such as security, HR, legal, availability and integrity
- Definition of the responsibility for the device maintenance cycle
- Managing an increasing application entitlement inventory
- Financial industry regulatory requirements requiring supervision and archiving
- Blurring of work-life boundaries and employee burnout
- Identity management strategy, given that each employee may have multiple devices connecting to the enterprise network
- Monitoring performance and capacity becomes more complicated, given that the IT environment is more dynamic
- Modeling and forecasting system performance becomes more difficult, because the number of devices used is no longer controlled by the organization
- Users may be reluctant to participate due to concerns regarding privacy
BYOD implementation considerations
- A BYOD program that is device agnostic can utilize virtual environments and network segmentation to limit the impact radius of events
- A separate secure network for BYOD devices, similar to a guest network
- Acceptable usage agreements
- Does the organization collect data from employee-owned devices? What data is collected and how is it used? Is it personally identifiable information?
- Data classification and user classification
- A fundamental security component of a BYOD infrastructure is the addition of an MDM (mobile device management) solution
MDM
- Centralized mobile device management allows IT departments to set company-wide policies.
- Over-the-air programming allows the IT department to remotely configure devices connected to the network.
- MDM can be used to allow the preapproval of certain applications, i.e., whitelisting.
- MDM can be deployed using software as a service or housed internally.
BYOD risks and controls
- Mobile devices share many of the same risks that stem from the use of laptops.
- Mobile devices and networks often contain stronger client-side controls, which shifts the focus toward device lockdown.
BYOD risks and controls
Scope: Governance
- Risk: Inadequate policies to define acceptable usage
- Risk: Noncompliance with regulatory requirements (e.g., records of communications by an employee pertaining to the firm's business must be maintained, retrievable and reviewed consistent with SEC Rules 17a-3 and 17a-4 and NASD Rule 31101)
- Potential controls: BYOD policies outlining the actions end users must take to prevent the misuse or loss of corporate information; monitoring and oversight over enforcement of corporate controls
Scope: Network security
- Risk: The device is lost/stolen and used to gain access to the corporate network
- Potential controls: Two-factor authentication is used for remote access. Networks for mobile devices are segmented from the corporate network.
Scope: Privacy
- Risk: Company destroys or corrupts personal data
- Risk: Personally identifiable information is collected without a business requirement
- Potential controls: Selective remote wipe, disk partitioning and virtualization are implemented on devices.
Scope: Logical access
- Risk: Devices not in compliance access the network, internal applications or databases
- Potential controls: Updates are required to connect to the network; installs are pushed out regularly.
Scope: Device security
- Risk: The device is lost or stolen and unauthorized users access sensitive company data
- Potential controls: Technology controls such as encryption, remote wiping, PIN and password lockout are enforced on the mobile devices.
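The logical-access, device-security and privacy rows above describe a compliance gate: a device must meet the configuration baseline before it reaches corporate resources, and a lost device gets a selective wipe that leaves personal data intact. The following is an added illustration of that gate and is not code from the deck; the posture fields, the minimum OS version and the action names are assumptions.

```python
"""Toy MDM compliance gate modelled on the BYOD risks-and-controls table.
Added example, not from the original deck. Field names and the
minimum OS baseline below are assumptions for illustration only."""
from dataclasses import dataclass

MIN_OS = (6, 0)  # assumed minimum supported OS version (major, minor)


@dataclass
class Device:
    device_id: str
    os_version: tuple       # (major, minor) as reported by the MDM agent
    encrypted: bool         # storage encryption enabled
    passcode_set: bool      # PIN/password lockout enforced
    mdm_enrolled: bool
    firmware_compliant: bool  # firmware matches the MDM-approved level
    reported_lost: bool


def evaluate(dev: Device) -> dict:
    """Decide whether the device may reach corporate resources and which
    remediation actions the MDM should take. A lost or stolen device is
    denied and gets a selective wipe of the corporate container only, so
    personal data is not destroyed (privacy row of the controls table)."""
    if dev.reported_lost:
        return {"allow": False, "findings": ["reported lost/stolen"],
                "actions": ["revoke network credentials",
                            "selective wipe (corporate container only)"]}
    findings, actions = [], []
    if not dev.mdm_enrolled:
        findings.append("not MDM enrolled")
        actions.append("require enrollment before access")
    if dev.os_version < MIN_OS:            # updates required to connect
        findings.append("os below baseline")
        actions.append("push required update")
    if not dev.encrypted:
        findings.append("storage not encrypted")
        actions.append("enforce encryption policy")
    if not dev.passcode_set:
        findings.append("no passcode/lockout")
        actions.append("enforce PIN/password policy")
    if not dev.firmware_compliant:
        findings.append("firmware non-compliant")
        actions.append("hold on segmented BYOD network until updated")
    # Any finding blocks access; the actions list is the remediation plan.
    return {"allow": not findings, "findings": findings, "actions": actions}
```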
2012 Global Information Security Survey: keeping track of mobile computing
Controls implemented to mitigate the new or increased risks related to the use of mobile computing (US responses only):
- None: 6.47%
- Policy adjustments: 68.93%
- New mobile device management software: 58.90%
- New disciplinary processes: 6.15%
- Increased security awareness activities: 48.87%
- Increased auditing capability: 16.50%
- Governance process to manage the use of mobile applications; encryption techniques: 46.60%, 51.78%
- Disallow the use of all tablets/smartphones for professional use: 2.91%
- Architectural changes: 37.22%
- Attack and penetration testing of mobile applications; allow the use of company-owned devices but disallow use of personal devices; adjusted incident management processes: 13.92%, 17.48%, 25.57%
Data loss and BYOD
- BYOD poses unique challenges to organizations and to the monitoring of mobile computing activity
- Loss of control over information containers (devices)
- Companies must focus on protecting the data itself by employing data loss prevention (DLP) techniques
- File encryption (for data in motion and at rest)
- Monitoring of outbound transmissions (monitoring controls for email, restrictions against transferring data to locations other than authorized devices, etc.)
- Regulatory requirements for monitoring activities. For example: SEC Rules 17a-3 and 17a-4 and NASD Rule 31101 (records of firm-related business communications made by an employee must be maintained, retrievable and reviewed); NASD 2210 (communication with the public)
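The outbound-monitoring and records-retention points above can be checked against gateway logs. The following added example (not code from the deck) replays constructed mail-gateway log lines and raises two alerts: an attachment sent from a BYOD device to a destination outside the approved domains, and a business communication that was not archived. The log format, field names and approved-domain list are assumptions.

```python
"""Outbound transmission monitoring for BYOD mail traffic.
Added example, not from the original deck. The log format, the
field names and the approved-domain list are assumptions."""
import re

APPROVED_DOMAINS = {"bank.example", "partner.example"}  # assumed allow-list

# Assumed gateway line layout: ts src=<device> from=<addr> to=<addr> attach=yes|no archived=yes|no
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) from=(?P<frm>\S+) to=(?P<to>\S+) "
    r"attach=(?P<attach>yes|no) archived=(?P<archived>yes|no)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2012-10-04T09:12:03 src=byod-1a2b from=alice@bank.example to=ops@bank.example attach=yes archived=yes
2012-10-04T09:15:44 src=byod-1a2b from=alice@bank.example to=friend@webmail.example attach=yes archived=yes
2012-10-04T09:20:10 src=byod-9f8e from=bob@bank.example to=client@partner.example attach=no archived=no
2012-10-04T09:21:00 src=corp-lt-77 from=carol@bank.example to=x@webmail.example attach=yes archived=yes
"""


def parse(line):
    """Return the line's fields as a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def alerts_for(entry):
    """Return the alert names triggered by one parsed entry."""
    out = []
    dest_domain = entry["to"].rsplit("@", 1)[-1]
    # DLP rule: a BYOD device sending an attachment outside the approved domains.
    if (entry["src"].startswith("byod-") and entry["attach"] == "yes"
            and dest_domain not in APPROVED_DOMAINS):
        out.append("attachment to unauthorized destination")
    # Records rule: every business communication must be retained and retrievable.
    if entry["archived"] == "no":
        out.append("communication not archived")
    return out


def scan(log_text):
    """Map (timestamp, source device) to its alerts; lines with no alert are omitted."""
    results = {}
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            continue  # malformed line: skip it rather than abort the whole scan
        found = alerts_for(entry)
        if found:
            results[(entry["ts"], entry["src"])] = found
    return results
```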
Mobile security leading practices
Data on devices
- Locked-down applications
- Mobile device management for enforcing encryption and remote wipe
Remote exploits
- Threat intelligence
- Monitor vendor firmware updates
- Mobile device management software to monitor device firmware compliance
Communications
- Encrypted inbound and outbound communications
- Enforced for applications as well as for access into the corporate network
Installed applications
- Mobile device management software to restrict application installation
- Restrict which app store can be used
- Due diligence for applications purchased for corporate use
Creating applications for mobile devices (BYOD)
- Threat modeling
- Secure software development life cycle (SDLC) tollgates
- Secure backend infrastructure
- Enforce a minimum supported security baseline configuration
- Corporate functionality on devices should be kept to a minimum
What does this mean for your organization?
- The number of mobile workers worldwide is expected to reach 1.3b by 2015 (Source: Inside Telecommunications, issue 6. Quarterly talking points from Ernst & Young's Global Telecommunications Center)
- Consumer obsession with technology will intensify as manufacturers design and deliver more progressive devices with increased computing power.
- Denial of the BYOD trend is no longer an option.
- To successfully transition to or institute a BYOD infrastructure, it's critical to understand the confluence of necessary technologies, governance, policies and processes.
Ernst & Young: Assurance, Tax, Transactions, Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
Ernst & Young is a leader in serving the global financial services marketplace
Nearly 35,000 Ernst & Young financial services professionals around the world provide integrated assurance, tax, transaction and advisory services to our asset management, banking, capital markets and insurance clients. In the Americas, Ernst & Young is the only public accounting organization with a separate business unit dedicated to the financial services marketplace. Created in 2000, the Americas Financial Services Office today includes more than 4,000 professionals at member firms in over 50 locations throughout the US, the Caribbean and Latin America.
Ernst & Young professionals in our financial services practices worldwide align with key global industry groups, including Ernst & Young's Global Asset Management Center, Global Banking & Capital Markets Center, Global Insurance Center and Global Private Equity Center, which act as hubs for sharing industry-focused knowledge on current and emerging trends and regulations in order to help our clients address key issues.
Our practitioners span many disciplines and provide a well-rounded understanding of business issues and challenges, as well as integrated services to our clients. With a global presence and industry-focused advice, Ernst & Young's financial services professionals provide high-quality assurance, tax, transaction and advisory services, including operations, process improvement, risk and technology, to financial services companies worldwide. It's how Ernst & Young makes a difference.
© 2012 Ernst & Young LLP. All Rights Reserved.
1209-1394613 NY
ED 10 Sep 2014